Article: DownLite (VSearch) Mac Adware

by on September 4, 2014

I’m hoping that linking to this will maybe get it to show up in more search results. Basically, there is a new piece of adware making the rounds for Mac OS X that almost always gets installed when someone tries to watch TV or movies from less than official sources. It is a small program that runs in the background, redirects browser traffic and generates popup windows. It also prevents the saving of some Safari settings.

For it to install, the user must still enter an administrator user name and password, so always be sure what you’re actually installing.

Thomas Reed on The Safe Mac explains how to get rid of it—fairly easy compared to cleaning out most Windows malware:

Move the following items to the trash. Note that removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them. Also, some of these files may not be present in all variants of this adware. If you don’t know how to locate a file based on the path given below, you should read Locating files from paths.

/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
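As an added example that is not part of the original post or The Safe Mac's instructions, here is a small POSIX shell check that reports which of the artifacts in the list above are present. The path list is the one quoted above; the function name `vsearch_scan` and its optional PREFIX argument (so the check can be pointed at a mounted or staged volume root) are my own.

```shell
#!/bin/sh
# Reports DownLite/VSearch persistence artifacts on a Mac OS X volume.
# The paths are taken from the removal list quoted above.

VSEARCH_PATHS="/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework"

# vsearch_scan [PREFIX]
#   Prints "found: <path>" for every artifact that exists under PREFIX
#   (default: the running system's root) and returns 0 if at least one
#   was found, 1 if none were.  A here-document is used instead of a pipe
#   so the counter survives the loop (a piped while runs in a subshell).
vsearch_scan() {
    prefix=${1:-}
    count=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        # -e also matches directories such as the .framework bundle
        if [ -e "$prefix$p" ]; then
            printf 'found: %s\n' "$prefix$p"
            count=$((count + 1))
        fi
    done <<EOF
$VSEARCH_PATHS
EOF
    [ "$count" -gt 0 ]
}

# On a live Mac, "launchctl list" will also show the com.vsearch jobs
# while they are loaded; removing the plists alone does not unload them
# until the next reboot.
```

Source the file and run `vsearch_scan` with no argument to check the current system, or `vsearch_scan /Volumes/OtherDisk` to check another volume without booting from it.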

The puzzling thing is that this doesn’t get picked up by Apple’s Gatekeeper function – Linc Davis on a thread on Apple’s Support Communities found the reason:

You may be wondering why you didn’t get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the DownLite developer has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it’s aware of the problem. This failure of oversight is inexcusable and has compromised both Gatekeeper and the Developer ID program. You can’t rely on Gatekeeper alone to protect you from harmful software.

So, the question is, why hasn’t Apple revoked DownLite/VSearch/Conduit’s certificate since it’s a known malware item?

I wouldn’t go so far as to say that we should all panic and lose sleep over malware, but it is worth remembering to only download and install software from sources you trust. Furthermore, when a dialog box prompts you for an administrator user name and password, make sure that you know why.
